Tech Tip: Lock down Exchange Server

While Exchange is a great enterprise e-mail server, the default security on this server is minimal. Learn how you can properly secure your network.

By Mike Mullins

If your organization runs a Windows-based network, odds are good that it also runs Microsoft Exchange Server. But while Exchange is a great enterprise e-mail server, the default security on this server is minimal.

To properly protect your network, you need to add another layer of protection. You should adhere to two basic security principles that apply to all servers: Secure the installation, and secure the ports.

Lock down the installation

Exchange Server 2000 and Exchange Server 2003 no longer require a dedicated service account, which is a tremendous boost in security. Among the most common entry points for hackers are privileged service accounts.

Users rarely change the passwords for privileged service accounts, and potential hackers could easily read them using tools such as lsadump2.exe. If you've recently upgraded your server from Exchange 5.5, I strongly suggest that you disable the old Exchange service account.

Whether you're upgrading or performing a clean install, Exchange requires the installation of several components from Internet Information Services (IIS), including NNTP, SMTP, and a Web service. These services provide components that are necessary for Exchange to function.

However, unless you specifically need to run any of these services, you should lock them down.

  • NNTP: Unless you're running a news server for your clients, you should stop and disable the NNTP service.
  • SMTP: This service delivers and receives mail from the Internet. You should leave this service enabled and running.
  • Web service: Running a Web service on your enterprise Exchange Server is a big point of confusion. If you're not running Outlook Web Access (OWA) from the same server, you don't need to run the Web service. You must install it, but you should stop and disable the service.

Just because you've disabled a service doesn't mean you shouldn't take steps to secure the vulnerabilities associated with that service. In particular, the Web service is one area that deserves special attention.

For a good reference on the steps required to secure the Web service in case a virus or well-meaning admin accidentally turns it on, refer to the previous edition of the Security Solutions e-newsletter ("Take these steps to secure your IIS Web server," June 25, 2004).

Scan your ports

By default, Exchange Server listens on more than 30 ports for connections to various services. If you're unsure about which ports map to a specific Exchange function, check out Microsoft Knowledge Base article 278339.

After you know which TCP and UDP ports your Exchange Server is listening on, you can secure the server based on its role within your environment. If you can't identify or stop the service, use an access control list to filter the traffic before it hits your Exchange Server.

If you need a tool to scan your Exchange Server for listening ports, try the CurrPorts utility. This tool displays a list of open TCP/IP and UDP ports, including information about the service or program that opened the port.

Final thoughts

Exchange Server is the heart of your Windows messaging network. The default installation includes a variety of services, so you should customize the installation to suit your enterprise needs. Protecting this server is simple once you apply a few well-tested principles of secure operation.

Mike Mullins has served as a database administrator and assistant network administrator for the U.S. Secret Service. He is a Network Security Administrator for the Defense Information Systems Agency.

Editor's Picks

Free Newsletters, In your Inbox